Cyber Security, Information Assurance
Richard Hale
Chief Information Assurance Executive
Defense Information Systems Agency
April 8, 2008

Bad Guys

Bad Guy Motivation: Gain Military Advantage by…
• Knowing what we’re going to do or what we’re likely to do
• Slowing our decision cycle
• Fuzzing up our view of reality
  – By changing information
  – By participating directly in our decisions (by masquerading as us)
• Making our weapons work in unexpected ways
• Causing us to lose faith in each other
• Etc.

Sophisticated Adversaries, aka Really Capable Bad Guys
• Have a military or intelligence mission in mind
• Will plan and select the plan with the best combination of effectiveness, (low) risk to the adversary, and cost
• Are very patient, analytical, methodical, and quiet
• Have advanced resources and tradecraft
• Can select the attack method, the target, the time, and the place

What’s Our Business?
…Twin Goals for Cyber Security/Information Assurance

1. Ensuring that our customers can depend on information and on the information infrastructure in the face of physical and cyber attack
(Mission Assurance, or, we’re all really dependability experts)

2. Ensuring that our customers can keep a secret (when they want to)
… and doing both while sharing as broadly as possible

Keeping a Secret (While Sharing Broadly)
[Figure: a scale running from Secret through Not so Secret to Public, against Number of People With Access: 1, 10, 100, . . . 10^9]

My Customers
Anyone in DoD, and anyone involved in a mission important to DoD
We often don’t know in advance with whom DoD will be working

My Oversimplification of How DoD Is Pursuing These IA (and sharing) Goals

Part 1
Limit exposure of vulnerabilities by
– Removing as many of these vulnerabilities as possible (e.g. encrypt when appropriate, configure things securely, remove unnecessary functions, eliminate passwords)
– Layering protections that incrementally limit the population with access to a given vulnerability (defense-in-depth)
– Designing what DoD looks like to partners, to the public, to adversaries

Part 2
Drive out anonymity (and enable net-centricity and improve sharing) by broad use of non-spoofable cyber identity credentials (aka PKI)
– Minimize whole classes of worries; brings accountability, worries some classes of bad guys
Build and operate an attack detection and diagnosis capability that allows rapid, sure, militarily useful reaction to cyber attacks
Improve joint, coalition, interagency, & industry partner cyber operations/NETOPS so the above is possible

The Basics: Secure Configuration
(Or…configuring everything securely, keeping everything configured securely, and ensuring the right people know this is so, or not so)

1. Define: Configuration guides with NSA, NIST, industry, military services, DISA
2. Buy it pre-configured
3. Configure it (Automate)
4. Measure it (Automate)
5. Change it (Automate)
6. Report it (Automate)
Big win: (NSA/NIST/AF/DHS/DISA/Microsoft/OMB): Federal Desktop Core Configuration

Security Content Automation Protocol (SCAP)
• Name for family of cyber security data standards
  – Configuration description
  – Configuration measurement
  – Vulnerability
  – Etc.
• NIST in the lead in defining; many are used now
• Goal is to improve sharing and improve automation
  – Ex. “STIG” content can be machine readable and consumed by any compliant tool
  – DoD can purchase automation tools from any vendor that complies

Information Sharing in the Federal Government
Or, What System-High Wrought
[Figure: NIPRNET, SIPRNET, JWICS, Internet]

Sharing With Allies
[Figure: NIPRNET, SIPRNET, JWICS and Internet, plus CENTRIXS 1, CENTRIXS 2, CENTRIXS 3, NATO, CFBLnet and bi-lat networks]
Unclassified

Q. Does all of this stuff really require system-high separation?
A. (My theory, although many others have concluded the same thing.) Nope. Some of these networks can be treated as separate communities within a single network infrastructure
The CCER. The JCS & COCOMs & NII have asked DISA & NSA to develop and deploy a method of consolidating several of the large CENTRIXS
– CENTRIXS cross enclave requirement (or CCER)

Sharing in the Interagency
[Figure: NIPRNET, SIPRNET, JWICS, Internet, CENTRIXS 1, CENTRIXS 2, CENTRIXS 3, NATO, CFBLnet and bi-lat networks, with further labels: New Federal Interconnect net? Federal, State, & Local Classified Net? Federal Classified Net]

A Typical Netcentric Mission Thread
(or, sharing in spite of system high)
[Figure: NIPRNET, SIPRNET, JWICS, Internet, CENTRIXS 1, CENTRIXS 2, CENTRIXS 3, NATO, CFBLnet and bi-lat networks]

How Exactly Does That Sharing Work?

Sharing Part 1: That’s What We Do With All That Cross Domain Stuff
[Figure: NIPRNET, SIPRNET, JWICS, Internet, CENTRIXS 1, CENTRIXS 2, CENTRIXS 3, NATO, CFBLnet and bi-lat networks]

The Unified Cross Domain Management Office
• Intelligence Community and DoD effort to manage cross domain efforts
  – Approve standard products
  – Help customers find existing or modifiable technologies before developing more
  – Oversee the provision of cross-domain as a network service
  – Monitor technology development
  – Improve MLS certification and accreditation process
    • As part of overall IC/DoD C&A re-engineering

Sharing Part 2: Better DMZs Between DoD and Non-DoD
[Figure: NIPRNET, SIPRNET, JWICS, Internet, CENTRIXS 1, CENTRIXS 2, CENTRIXS 3, NATO, CFBLnet and bi-lat networks, with DoD DMZs]

DoD DMZs
[Figure: Internet; Publicly Visible Servers in DMZ; Firewalls With Tight, Customized Configurations; Enterprise Backbone; Internal Servers; User Workstations]

Sometimes There Is A Separate DMZ For Close Partners
[Figure: Internet; Internet-Facing DMZ; Partner Facing, or EXTRANET DMZ; To Partners; Internal Servers; User Workstations]

The Extranet DMZs May Be Attached to a Private Network, or Extranet
[Figure: Corporation 1, Corporation 2 and Corporation 3, each with an Extranet DMZ; the network is labelled Unclassified]

Unclassified Sharing in the Interagency?
One Result of the Trusted Internet Connection Initiative?
[Figure: Agency 1, Agency 2 and Agency 3, each with an Extranet DMZ and an Internet DMZ; Internet; the network is labelled Unclassified]

Other TIC Thoughts Based on DoD Lessons
• DoD has evolved various connection approval, compliance assessment, enforcement, and exception processes
  – These will likely need to be replicated in the inter-agency
  – Compliance enforcement must have teeth
• Partners ALWAYS have internet connections so connect to them via partner/extranet DMZs and monitor these as you would an internet connection
• Clear lines of authority for management of the connections are essential
• Sharing the attack detection and diagnosis data from the connection points is essential

A Little Bit About Driving Out Anonymity:
PKI and Cyber Identity Credentials (DoD PKI and Other PKIs)

First, a bit about Bad Guys and Directories
(and why we have Public Key Infrastructures)

Publishing Public Keys: the old days
The Directory:
  Bill Smith: A Public Key
  John Smith: A Public Key
  Sam Smith: A Public Key
…One public key looks pretty much like any other

Publishing Public Keys: Now
A PKI Certificate:
  Bill Smith
  A Public Key
  Trustworthy Third Party’s Signature That Binds the Name and Key Cryptographically
Increased assurance that Bill’s public key is really his, and not John’s or Sam’s

An Important Detail…
• Bill still needs to protect the other piece of the credential…the private key

The DoD PKI
• Primarily identity credentials for people (for now)
• Issuance tied to the pool of people identity in DoD…DEERS
• Single trust root, although credentials issued by many subordinate certificate authorities
• Asserts very little other than the tie between a name and a public key
  – Must find those other tidbits about Richard Hale from other sources
• Private keys (mostly) stored on the Common Access Card, or CAC
• Credential quality depends on many, many things…

DoD PKI Credential Quality
(How Much Can I Trust This Credential I’ve Been Presented?)
[Figure: Credential Quality plotted against Time, with labels: Use of DEERS Identity system; Use of hardware token (CAC) for the private key; Use of Hardware Crypto in CAs]

Lots of Assurance Increases in the Works for DoD & Other PKIs
• Improved cryptography (elliptic curve)
• Stronger protection of private keys, alternate tokens
• Better identity vetting of individuals before issuing a credential
• Stronger protocols between the certificate authority and the place the keys are generated
• More auditing
• Etc., etc., etc.

Sharing & Application Agility: The Service Oriented Architecture
(We’ll come back to my cyber identity credential, and some of its uses)

The Simple View of the SOA
[Figure: Service Consumer, Service Interface, Service Provider, The WAN]

What’s Behind the Service Interface?
[Figure: Hosting Center containing Firewall, VPN crypto, Routers, Ap Switches, Ap Servers and Database Servers; The WAN]

Dependable SOA Poses a Question
• Each service consumer relies on some sort of statement by the service provider on the service being consumed
• Provider asserts things like
  – Reliability of the service (in the face of equipment failure, circuit failure, natural disaster, cyber attack, whatever)
  – Accuracy of information
  – Performance, etc.
How does the consumer know whether to believe the claims?

Answers?
• Traditionally, a contract between supplier and consumer defines the terms of service
• In DoD and the IC, this isn’t exactly how we work
• But, we could invent a scheme of point-to-point MOAs. But, this doesn’t scale, even if we could figure out enforcement
• But, important missions, people’s lives, and all sorts of things may depend on the service
So, I think a third party must verify the service providers’ claim, then publish the findings
– (a Certifier, a Tester?)

Who Spot Checks These Claims?
• To ensure the service provider is continuing to satisfy the claims on which our consumer is depending
• Certifier?
• Tester?
• Blue Team? (Acting on behalf of both the consumer and the provider?)

Isn’t This a Lot of Trouble Over Something That’s Not That Hard?

Composition of Services into an Application
Our service is a participant in a composed application serving a soldier in the field

Many Service Providers
“Dependability in the Face of Cyber Attack”

Back to Sharing While Keeping a Secret

If We Have Thousands of Services, Can an Access-Control-List Access Model Work?
Enter … Attribute-Based Access Control
• Important in the SOA going forward
  – Scale
  – Policy flexibility (share information with unanticipated person without having to give the person an account)

Step 1. Determine that it’s really me
Step 2. Then, learn things about the real me before deciding to take a risk on me
Before:
– Allowing me to access information,
– Allowing me to act in a certain role,
– Doing business with me, etc.

Step 1: I present my PKI credential and use my private key to authenticate.
Then, all that stuff about me comes into play

Who Knows, Who Tells the Things About Me?
I Do: But if you don’t know me, will you trust what I say?
Others Do: You might trust some of what others say about me (attributes about me)

Attribute-Based Access Control
[Figure: Service Consumer; Man or Machine; Request (with PKI authentication); Policy Enforcement Point; Policy Decision Service; Attribute Stores; Attributes; Service Provider; Data]

Are Those Attributes Worthy of The Service Provider’s Trust?

Attributes and the Directory Problem
• Tight tie between me and my public key provided by my PKI cert (and by careful design of the issuance process)
• Where’s the tight tie between me (my name or some other unique identifier) and an attribute about me?
• Who is authoritative for particular information about me?
How does a relying party know that my credit score, my clearance, my role, my grades, are really mine?
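
An added example, not part of the original briefing: a policy decision service that accepts an attribute only when it is bound to the PKI-authenticated subject and vouched for by the authority for that attribute, then decides by default deny. The issuer names, keys, policy, clearance ordering and subject identifiers are constructed, and HMAC stands in for an attribute authority's digital signature.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import NamedTuple

# Constructed demo keys. HMAC stands in for each attribute authority's digital
# signature so the example runs on the standard library alone.
ISSUER_KEYS = {
    "security-office": b"constructed-key-1",
    "personnel-directory": b"constructed-key-2",
    "self": b"constructed-key-3",  # the subject vouching for themselves
}

# Assumed answer to "who is authoritative for particular information about me?"
AUTHORITATIVE = {"clearance": "security-office", "role": "personnel-directory"}

LEVELS = ["unclassified", "secret", "top-secret"]  # constructed ordering

# Constructed policy, written against attributes rather than accounts.
POLICY = {"logistics-report": {"roles": {"logistics-planner"}, "min_clearance": "secret"}}


@dataclass(frozen=True)
class Assertion:
    subject: str  # unique identifier taken from the authenticated PKI certificate
    name: str
    value: str
    issuer: str
    tag: str      # issuer's binding over (subject, name, value, issuer)


class Decision(NamedTuple):
    permit: bool
    failures: list  # policy conditions that were not met
    rejected: list  # (attribute, reason) for assertions that were ignored


def _tag(key, subject, name, value, issuer):
    message = json.dumps([subject, name, value, issuer]).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue(issuer, subject, name, value):
    """Attribute store side: bind one attribute to one subject identifier."""
    key = ISSUER_KEYS[issuer]
    return Assertion(subject, name, value, issuer, _tag(key, subject, name, value, issuer))


def trusted_attributes(authenticated_subject, assertions):
    """Keep only attributes whose tie to this subject the relying party can check."""
    accepted, rejected = {}, []
    for a in assertions:
        key = ISSUER_KEYS.get(a.issuer)
        if a.subject != authenticated_subject:
            rejected.append((a.name, "bound to a different subject"))
        elif AUTHORITATIVE.get(a.name) != a.issuer:
            rejected.append((a.name, "issuer is not authoritative"))
        elif key is None or not hmac.compare_digest(
                a.tag, _tag(key, a.subject, a.name, a.value, a.issuer)):
            rejected.append((a.name, "binding does not verify"))
        else:
            accepted[a.name] = a.value
    return accepted, rejected


def decide(authenticated_subject, resource, assertions):
    """Policy decision service: default deny, using only verified attributes."""
    attrs, rejected = trusted_attributes(authenticated_subject, assertions)
    rule = POLICY.get(resource)
    if rule is None:
        return Decision(False, ["no policy for resource"], rejected)
    failures = []
    if attrs.get("role") not in rule["roles"]:
        failures.append("role missing or not permitted")
    level = attrs.get("clearance")
    if level not in LEVELS or LEVELS.index(level) < LEVELS.index(rule["min_clearance"]):
        failures.append("clearance missing or too low")
    return Decision(not failures, failures, rejected)


if __name__ == "__main__":
    partner = "cn=partner.analyst.0001"  # constructed identifier with no local account
    role = issue("personnel-directory", partner, "role", "logistics-planner")
    clearance = issue("security-office", partner, "clearance", "secret")
    self_claim = issue("self", partner, "clearance", "top-secret")
    print(decide(partner, "logistics-report", [role, clearance]))
    print(decide(partner, "logistics-report", [role, self_claim]))
    print(decide("cn=someone.else.0002", "logistics-report", [role, clearance]))
```

The first request is permitted without the partner ever holding an account; the self-asserted clearance and the assertions replayed by a different authenticated subject are both ignored, so those requests are denied.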

Incident & Attack Detection, Diagnosis, and Reaction

The Computer Network Defense Process
• Detect the incident or attack or problem (hopefully before it’s launched)
• Diagnose what’s going on
• Develop militarily useful courses of action
• Pick one
• Execute it
• Then follow up
All in militarily useful time

Realistic NETOPS Tactics, Techniques, Strategies
• This may (at any time) be a war fight
• Development of effective NETOPS war fighting tactics, etc. must be done by considering realistic adversaries
• Then we must practice these (and practice, practice, practice these)
• Practice at all levels of organizations, from individuals to small groups to ops centers to multiple ops centers…
  – You get the idea

This Also Requires Broad Sharing
• Sharing of raw sensor data, partial incident data, and more fully analyzed incidents is also critical
  – If we’re to do this fast, and broadly across government and industry
  – So, IMHO we’ve got to set standards for protecting this stuff so we’re all willing to share…

DoD Sets Standards and Accredits Computer Network Defense Service Providers
• The Interagency, industry, others will likely have to do this too

To Summarize…
1. Dependability in the Face of Cyber Attack
2. Keeping a Secret
Both While Simultaneously Sharing Information Broadly